On Mon, Sep 29, 2025 at 2:15 PM Alex Russell <[email protected]> wrote:
> Thanks so much for making this easier to understand. Helps a lot, and as a
> result, I now understand that the design has a problem:
>
> JSON allows a single string value as a valid payload;
> e.g. JSON.parse(`"foo"`). This seems to be a problem for the design, which
> relies on authors sending objects instead of strings as a reliable
> discriminator. How can you validate that this isn't going to create issues
> in the wild?
>

The explainer suggests conditioning RP behavior on the type, I think this works right? the IDP has to continue to know that tokens are always objects (just optionally encoded as JSON serialized strings), never just bare strings. But that's not a new requirement.

Now of course there's the RP/IDP compatibility problem that comes from any new RP-exposed FedCM feature an IDP can opt-into and I assume that would be on IDPs to manage like they manage any other change in their protocol with their RPs. Eg. Google Sign-in would presumably update their SDK to support both token formats but wait for some period before actually sending the new token formats to all RPs (probably trialing only with RPs they know have updated).

Whether it actually is worth the effort for any IDP to migrate is unclear to me. But if an IDP new to FedCM wanted this then I don't see a problem, right?

> Best,
>
> Alex
>
> On Friday, September 26, 2025 at 1:41:51 PM UTC-7 Suresh Potti wrote:
>
>> Updated the explainer. Pls review.
>>
>> Thanks,
>>
>> Suresh
>>
>> *From:* Alex Russell <[email protected]>
>> *Sent:* Wednesday, September 10, 2025 8:44 PM
>> *To:* blink-dev <[email protected]>
>> *Cc:* Yoav Weiss <[email protected]>; [email protected] <
>> [email protected]>; Suresh Potti <[email protected]>;
>> Chromestatus <[email protected]>
>> *Subject:* [EXTERNAL] Re: [blink-dev] Intent to Ship: FedCM—Support
>> Structured JSON Responses from IdPs
>>
>> I like the change, but the linked "explainer" doesn't cover the ground we
>> expect to see. Can you please draft a separate document for this feature
>> and address questions raised in the GH thread in that doc?
>>
>> Thanks,
>>
>> Alex
>>
>> On Tuesday, September 9, 2025 at 5:33:34 AM UTC-7 Yoav Weiss wrote:
>>
>> LGTM1
>>
>> This seems like a small yet useful addition.
>>
>> On Sat, Sep 6, 2025 at 5:51 AM Chromestatus <
>> [email protected]> wrote:
>>
>> Contact emails
>>
>> [email protected]
>>
>> Explainer
>>
>> https://github.com/w3c-fedid/idp-registration/issues/13#issuecomment-3254858070
>>
>> Specification
>>
>> https://github.com/w3c-fedid/FedCM/pull/771
>>
>> Summary
>>
>> Allows Identity Providers (IdPs) to return structured JSON objects
>> instead of plain strings to Relying Parties (RPs) via the
>> id_assertion_endpoint. This change simplifies integration for developers by
>> eliminating the need to manually serialize and parse JSON strings. It
>> enables more dynamic and flexible authentication flows, allowing RPs to
>> interpret complex responses directly and support varied protocols like
>> OAuth2, OIDC, or IndieAuth without out-of-band agreements.
>>
>> Blink component
>>
>> Blink>Identity>FedCM
>> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EIdentity%3EFedCM%22>
>>
>> Web Feature ID
>>
>> fedcm <https://webstatus.dev/features/fedcm>
>>
>> TAG review
>>
>> https://github.com/w3ctag/design-reviews/issues/1147
>>
>> TAG review status
>>
>> Issues open
>>
>> Risks
>>
>> Interoperability and Compatibility
>>
>> None
>>
>> *Gecko*: No signal comments from Ben Vandersloot in
>> https://github.com/w3c-fedid/meetings/blob/main/2025/2025-07-29-FedCM-notes.md#status-of-cr-blockers,
>> No strong opinions
>>
>> *WebKit*: No signal
>>
>> *Web developers*: Positive
>>
>> *Other signals*: This was requested by Identity providers.
>>
>> Ergonomics
>>
>> n/a
>>
>> Activation
>>
>> n/a
>>
>> Security
>>
>> n/a
>>
>> WebView application risks
>>
>> *Does this intent deprecate or change behavior of existing APIs, such
>> that it has potentially high risk for Android WebView-based applications?*
>>
>> n/a, FedCM not supported in WebView
>>
>> Debuggability
>>
>> Same as other FedCM features. The network view in devtools would be
>> especially helpful for debugging this feature.
>>
>> Will this feature be supported on all six Blink platforms (Windows, Mac,
>> Linux, ChromeOS, Android, and Android WebView)?
>>
>> No
>>
>> FedCM in general is not supported on webview. Supported on all other
>> blink platforms.
>>
>> Is this feature fully tested by web-platform-tests
>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>
>> Yes
>>
>> https://wpt.fyi/results/fedcm/fedcm-flexible-token?label=experimental&label=master
>>
>> Flag name on about://flags
>>
>> None
>>
>> Finch feature name
>>
>> FedCmNonStringToken
>>
>> Rollout plan
>>
>> Will ship enabled for all users
>>
>> Requires code in //chrome?
>>
>> False
>>
>> Tracking bug
>>
>> https://issues.chromium.org/346567168
>>
>> Estimated milestones
>>
>> Shipping on desktop
>>
>> 143
>>
>> Shipping on Android
>>
>> 143
>>
>> Anticipated spec changes
>>
>> *Open questions about a feature may be a source of future web compat or
>> interop issues. Please list open issues (e.g. links to known github issues
>> in the project for the feature specification) whose resolution may
>> introduce web compat/interop risk (e.g., changing to naming or structure of
>> the API in a non-backward-compatible way).*
>>
>> none
>>
>> Link to entry on the Chrome Platform Status
>>
>> https://chromestatus.com/feature/5153509557272576?gate=5128781719273472
>>
>> This intent message was generated by Chrome Platform Status
>> <https://chromestatus.com/>.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFUtAY94pO%3DosTP2Y9FoKwtHL%3DwYoCfXHfyLycfX_qQNZQ54ww%40mail.gmail.com.
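
The type check discussed in the reply above, as an added example that is not part of the original thread and is not FedCM, Chromium or any IdP's code. The helper names (isPlainObject, normalizeIdpToken, classify) and the sample payloads are hypothetical, and the code assumes the IdP contract stated in the reply: a token is always an object, delivered either structured or as a JSON-serialized string, never a bare string.

```javascript
// Added example: hypothetical RP-side helper, not FedCM or Chromium code.
// Assumed IdP contract (from the thread): a token is always an object,
// delivered either as a structured value or as a JSON-serialized string.
function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

function normalizeIdpToken(token) {
  // New format: the token arrives already structured.
  if (isPlainObject(token)) {
    return { format: 'structured', claims: token };
  }
  // Legacy format: the same object, serialized by the IdP.
  if (typeof token === 'string') {
    let parsed;
    try {
      parsed = JSON.parse(token);
    } catch {
      throw new TypeError('token string is not JSON');
    }
    // JSON.parse('"foo"') yields a string and JSON.parse('42') a number:
    // valid JSON, but not the object the contract requires, so fail closed.
    if (!isPlainObject(parsed)) {
      throw new TypeError('token JSON is not an object');
    }
    return { format: 'json-string', claims: parsed };
  }
  throw new TypeError('unsupported token type: ' + typeof token);
}

// Returns the detected format, or the rejection reason.
function classify(token) {
  try {
    return normalizeIdpToken(token).format;
  } catch (e) {
    return 'rejected: ' + e.message;
  }
}

// Constructed sample payloads (not captured from any real IdP).
const samples = [
  { access_token: 'constructed-value', scope: 'openid' },
  '{"access_token":"constructed-value","scope":"openid"}',
  '"foo"',
  'not json',
  null,
];
for (const s of samples) console.log(JSON.stringify(s), '->', classify(s));
```
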
